Security Automation and Orchestration

AI, ML – is it all just BS?

Though we’re easily enamored with new technologies like artificial intelligence and machine learning, do they actually help us solve real problems in the SOC like reducing Mean Time to Resolution (MTTR)?

Read a security-related press release or been to an event recently? You’ve no doubt been wondering how you managed to do your job all this time without Artificial Intelligence (AI) or Machine Learning (ML).

NOW AVAILABLE: Industry’s First Machine Learning Incident Response Platform that Gets Smarter with Every Analyst Action!

Do these technologies really live up to the hype or are they just the latest in a series of new buzzwords?

Despite being positioned as the latest “silver bullet” in security, neither is a new concept. Artificial Intelligence, which in layman’s terms is simply making a computer think like a human, was first discussed at the Dartmouth Summer Research Project in 1956. Similarly, Machine Learning, which is broadly considered a type of Artificial Intelligence and is defined as giving computers the ability to learn without explicit programming, was pioneered by an IBMer named Arthur Samuel in 1959.

Though decades old, Artificial Intelligence and Machine Learning are both garnering interest in the field of cybersecurity. Recent research by ESG surveyed 412 cybersecurity professionals to assess and characterize their knowledge of Artificial Intelligence and Machine Learning as it relates to cybersecurity analytics and operations. The findings show confusion in the market, which is no surprise given the rise in promises made by vendors.

Two interesting, yet conflicting stats that I noticed in the ESG research are that although 70% don’t understand where Machine Learning and Artificial Intelligence fit in their organization, 82% plan to deploy it! Clearly, we have an opportunity for education.

Artificial Intelligence is a broad term and represents technologies with many approaches, from simply creating rules to handle specific tasks, to highly sophisticated algorithms that learn correct behavior. Machine Learning is thought to be the most promising form of Artificial Intelligence. Machine Learning uses algorithms and data to learn without being explicitly programmed. This corrects a major limitation of other forms of Artificial Intelligence, where rules must be created to handle specific tasks, requiring foresight and programming for all possible outcomes in advance. There are many forms of Machine Learning, including Decision Tree Learning, Inductive Logic Programming, Deep Learning, Clustering, and others like Reinforcement Learning.

Security Automation & Orchestration platforms are beginning to use Reinforcement Learning, which is a simple form of Artificial Intelligence (and Machine Learning) that automatically determines the actions required to get the best outcome. In the context of SA&O platforms, Reinforcement Learning can make recommendations based on event data, ultimately suggesting automation playbooks that can help solve real problems in the SOC. Guidance when dealing with “known unknowns” (i.e. those cases when we know about the threat but aren’t sure how to respond) is valuable to new and experienced analysts alike.
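To make the idea concrete, here is an added illustration (not code from the original article or from any SA&O vendor's product) of the simplest reinforcement-learning form such a recommender could take: a per-category multi-armed bandit that treats each playbook as an "arm", observes how long the incident took to resolve after the playbook was run, and shifts future recommendations toward the playbooks with the best track record. Event categories, playbook names and resolution times are constructed for the demonstration; the optimistic initial values and the epsilon-greedy exploration are ordinary bandit choices, not something the article describes.

```python
"""Playbook recommendation as a multi-armed bandit (added example).

One arm per playbook, kept separately for each event category. Reward is a
bounded function of time-to-resolution, so faster playbooks score higher.
"""
import random
from collections import defaultdict


class PlaybookRecommender:
    """Epsilon-greedy bandit over SA&O playbooks, keyed by event category."""

    def __init__(self, playbooks, epsilon=0.1, seed=0):
        self.playbooks = list(playbooks)
        self.epsilon = epsilon
        self.rng = random.Random(seed)
        # Optimistic initial value (1.0 == best possible reward) so every
        # playbook gets tried at least once before the greedy choice settles.
        self.values = defaultdict(lambda: {p: 1.0 for p in self.playbooks})
        self.counts = defaultdict(lambda: {p: 0 for p in self.playbooks})

    def recommend(self, category, explore=True):
        """Suggest a playbook for an event category.

        With probability epsilon an arbitrary playbook is explored; otherwise
        the one with the best estimated reward for this category is chosen.
        """
        if explore and self.rng.random() < self.epsilon:
            return self.rng.choice(self.playbooks)
        return max(self.playbooks, key=lambda p: self.values[category][p])

    def feedback(self, category, playbook, resolution_minutes):
        """Record the observed resolution time and return the reward used."""
        # Reward in (0, 1]: 1.0 for instant resolution, 0.5 at one hour.
        reward = 1.0 / (1.0 + resolution_minutes / 60.0)
        self.counts[category][playbook] += 1
        n = self.counts[category][playbook]
        # Incremental running mean of the rewards seen for this arm.
        self.values[category][playbook] += (reward - self.values[category][playbook]) / n
        return reward


# Constructed "ground truth": mean minutes-to-resolution per (category, playbook).
# In a real SOC this is unknown and only revealed through analyst feedback.
TRUE_MTTR_MINUTES = {
    "phishing": {"block_sender_and_purge": 20, "isolate_host": 45, "open_ticket_only": 180},
    "malware_beacon": {"isolate_host": 30, "block_sender_and_purge": 150, "open_ticket_only": 240},
}
PLAYBOOKS = ["isolate_host", "block_sender_and_purge", "open_ticket_only"]


def simulate_resolution(rng, category, playbook):
    """Noisy resolution time (constructed): +/-10% spread around the true mean."""
    mean = TRUE_MTTR_MINUTES[category][playbook]
    return max(1.0, rng.gauss(mean, mean * 0.1))


def train(rounds=1000, seed=1):
    """Run a simulated stream of events through the recommender and return it."""
    rng = random.Random(seed)
    rec = PlaybookRecommender(PLAYBOOKS, epsilon=0.1, seed=seed)
    categories = list(TRUE_MTTR_MINUTES)
    for _ in range(rounds):
        category = rng.choice(categories)          # the incoming event's category
        playbook = rec.recommend(category)         # recommendation shown to analyst
        minutes = simulate_resolution(rng, category, playbook)
        rec.feedback(category, playbook, minutes)  # analyst closes the incident
    return rec


def best_playbooks(rec):
    """Current greedy recommendation per category (no exploration)."""
    return {c: rec.recommend(c, explore=False) for c in TRUE_MTTR_MINUTES}


if __name__ == "__main__":
    trained = train()
    for category, playbook in best_playbooks(trained).items():
        est = trained.values[category][playbook]
        print(f"{category:15s} -> {playbook:24s} (estimated reward {est:.2f})")
```

Two points matter more than the algorithm when putting something like this in front of analysts. The reward signal is only as honest as the ticket closures behind it: if "resolution" is recorded when a ticket is closed rather than when the threat is actually contained, the recommender will learn to favor whatever closes tickets fastest. And the recommendation is guidance, not an action; the analyst still decides which playbook to run, which is exactly the "augment, not replace" posture the rest of the article argues for.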

Though we’re easily enamored with new technologies like Artificial Intelligence, Machine Learning, or even Reinforcement Learning, it’s always useful to step back and ask the bigger question. How do any of these new technologies help us solve real problems like reducing our Mean Time to Resolution (MTTR)?

The reality is that no one technology provides the “silver bullet”; each merely adds another dimension to the solution. While perhaps not as fresh to the market narrative, foundational capabilities like architectural maturity, community collaboration, an open & extensible ecosystem, and feature completeness often do more to make an impact than the “latest thing.”

That’s not to say artificial intelligence, machine learning, reinforcement learning, etc. don’t have a place. I think they’ll play an increasingly important role in the future in providing guidance to an analyst that enables a new level of security handling, one where threats with no associated procedures can be handled effectively through intelligent guidance.

Let’s not get carried away though. Artificial intelligence, machine learning, and reinforcement learning are great ways to augment – though not outsmart – the analyst.

This article originally appeared on CSO Online as part of the IDG Contributor Network.